From 89a5812698577e826cff10f04107b9e559946ac0 Mon Sep 17 00:00:00 2001 From: npt-1707 Date: Mon, 4 May 2026 02:31:04 +0800 Subject: [PATCH] source/javascripts/vendor/jquery.js: Ajax: Mitigate possible XSS vulnerability Fixes gh-2432 --- source/javascripts/vendor/jquery.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source/javascripts/vendor/jquery.js b/source/javascripts/vendor/jquery.js index 30c2a631..d137e53e 100644 --- a/source/javascripts/vendor/jquery.js +++ b/source/javascripts/vendor/jquery.js @@ -8767,6 +8767,10 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) { // Convert response if prev dataType is non-auto and differs from current } else if ( prev !== "*" && prev !== current ) { + // Mitigate possible XSS vulnerability (gh-2432) + if ( s.crossDomain && current === "script" ) { + continue; + } // Seek a direct converter conv = converters[ prev + " " + current ] || converters[ "* " + current ];